How to monitor switch, router... and other Cisco devices using SNMP.

ledaipro
Explorer

Hi.

I am using NET-SNMP on Windows to receive and log SNMP traps to a file, and I want Splunk to monitor that file. How do I do this?
I installed NET-SNMP on Windows.
What is the next step?

0 Karma

friea
Splunk Employee

Have you taken a look at the Cisco Networks app for Splunk? https://splunkbase.splunk.com/app/1352/

woodcock
Esteemed Legend

santiagoaloi
Path Finder

Hey!

This is fairly simple, since you will be monitoring just one file containing all your SNMP trap logs.
Assuming your Splunk indexer is located on a dedicated server somewhere else, you will have to install a Universal Forwarder on the Windows instance where the SNMP traps log file is located.

Download the Universal Forwarder and install it. As a best practice I would recommend that you create an inputs.conf and an outputs.conf file inside an app, which is basically a directory where you will place both files for SNMP traps, for example:
$SPLUNK_HOME\etc\apps\UF-SNMP_collection. This will be a scalable way of managing all your inputs centrally from a deployment server.


Universal Forwarder

UF-SNMP_collection > default > inputs.conf

[monitor://C:\folder1\folder2\snmptraps.log]
host          = yourhostname
# index defaults to main, but creating a test index is a best practice
index         = yourindex
# "snmptraps" could be a good sourcetype name
sourcetype    = snmptraps

UF-SNMP_collection > default > outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = yourindexer:9997

Splunk Indexer or Search Head

Define an app name, for example "APP-SNMP", and then create two sub-folders, default and metadata.

If your Splunk indexer is located in the same Windows instance as your snmp traps log file, just place the inputs.conf file together with the props.conf file within this app and discard the outputs.conf file step.

APP-SNMP > default > props.conf

These parameters are examples of best practices for line breaking and search optimization; you will have to tweak them according to the timestamp format of your SNMP trap logs and its location within the log. Read about this in the Splunk Docs. You don't have to do it, but it's good to know 🙂

[snmptraps]

# Accurate line breaking steps

TIME_FORMAT              = %b %d %H:%M:%S %Z%z %Y
TIME_PREFIX              = \w+\s\w+\s\d+\s\d+\s\d+:\d+:\d+
LINE_BREAKER             = ([\n\r])\w+\s\w+\s\d+\s\d+\s\d+:\d+:\d+
MAX_TIMESTAMP_LOOKAHEAD  = 25
TRUNCATE                 = 50000

# field extraction

EXTRACT-field_foo       = some regex
EXTRACT-field_bar        = some regex

APP-SNMP > metadata > default.meta

[]
access = read : [ * ], write : [ admin ]
export = system

All the field extractions should be placed within this app context so you have better control over them.

Normally, when you do the field extraction in the Splunk GUI, the props.conf will be placed in the local folder of the app context you are standing in.

Commonly search or launcher, so check either:

$SPLUNK_HOME\etc\apps\launcher\local\props.conf
$SPLUNK_HOME\etc\apps\search\local\props.conf
$SPLUNK_HOME\etc\user\**youruser**\search\local\props.conf
$SPLUNK_HOME\etc\user\**youruser**\launcher\local\props.conf
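Before indexing, it is worth checking that the line-breaking and extraction regexes actually cut the log where each trap begins, because snmptrapd writes one trap across more than one line (a timestamp/sender header followed by the varbinds). The script below is an added example, not code from this thread, from Splunk or from Net-SNMP. It reproduces in plain Python what the props.conf settings do: an event boundary wherever a line starts with a timestamp (LINE_BREAKER), a timestamp parsed from the start of each event (TIME_PREFIX/TIME_FORMAT), and varbinds pulled out by regex (EXTRACT-). The log sample is constructed, and its layout (ISO-style timestamp, hostname, UDP transport, tab-separated varbinds on the next line) is an assumption about how the local snmptrapd is configured to log; adjust the two regexes and TIME_FORMAT to your own file, exactly as the post says you must for props.conf.

```python
from __future__ import annotations

import re
from datetime import datetime

# Constructed sample of an snmptrapd log file (not captured from a real device).
# Assumed layout: a header line starting with a timestamp, the sending host and
# the UDP transport, followed by one line of tab-separated varbinds. Splitting
# on newlines alone would tear the varbinds away from their timestamp.
SAMPLE_LOG = (
    "2016-03-15 10:15:30 router1 [UDP: [192.168.1.1]:57853->[192.168.1.100]:162]:\n"
    "DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (123456) 0:20:34.56\t"
    "SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown\tIF-MIB::ifIndex.3 = INTEGER: 3\n"
    "2016-03-15 10:15:41 router1 [UDP: [192.168.1.1]:57853->[192.168.1.100]:162]:\n"
    "DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (124556) 0:20:45.56\t"
    "SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkUp\tIF-MIB::ifIndex.3 = INTEGER: 3\n"
    "2016-03-15 10:16:02 switch2 [UDP: [192.168.1.20]:40001->[192.168.1.100]:162]:\n"
    "DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (99) 0:00:00.99\t"
    "SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-MIB::authenticationFailure\n"
)

# LINE_BREAKER equivalent: a new event begins wherever a line starts with a
# timestamp. The zero-width lookahead keeps the timestamp inside the event.
EVENT_START = re.compile(r"(?m)^(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} )")

# TIME_PREFIX/TIME_FORMAT equivalent plus the header fields (assumed layout).
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"\[UDP: \[(?P<src_ip>[\d.]+)\]:(?P<src_port>\d+)->"
    r"\[(?P<dst_ip>[\d.]+)\]:(?P<dst_port>\d+)\]:"
)
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# EXTRACT- equivalent: each varbind reads "NAME = TYPE: VALUE".
VARBIND_RE = re.compile(r"^(?P<name>\S+) = (?P<type>[A-Za-z0-9]+): (?P<value>.*)$")


def break_events(text: str) -> list[str]:
    """Split raw log text into one string per trap, multi-line events intact."""
    return [chunk for chunk in EVENT_START.split(text) if chunk.strip()]


def parse_event(event: str) -> dict:
    """Extract timestamp, sender and varbinds from a single trap event."""
    lines = event.rstrip("\n").split("\n")
    header = HEADER_RE.match(lines[0])
    if header is None:
        raise ValueError(f"unrecognised header line: {lines[0]!r}")
    varbinds: dict[str, tuple[str, str]] = {}
    for line in lines[1:]:
        for raw in line.split("\t"):
            m = VARBIND_RE.match(raw.strip())
            if m:
                varbinds[m["name"]] = (m["type"], m["value"])
    # snmpTrapOID.0 names the trap type; absent on malformed events.
    trap_oid = varbinds.get("SNMPv2-MIB::snmpTrapOID.0", (None, None))[1]
    return {
        "timestamp": datetime.strptime(header["ts"], TIME_FORMAT),
        "host": header["host"],
        "src_ip": header["src_ip"],
        "trap_oid": trap_oid,
        "varbinds": varbinds,
    }


def parse_log(text: str) -> list[dict]:
    """Break and parse a whole log file's worth of text."""
    return [parse_event(e) for e in break_events(text)]


def count_traps(events: list[dict]) -> dict[tuple[str, str], int]:
    """Tally traps per (source IP, trap OID). This is the shape of a first
    dashboard or alert, e.g. many authenticationFailure traps from one sender."""
    counts: dict[tuple[str, str], int] = {}
    for ev in events:
        key = (ev["src_ip"], ev["trap_oid"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in events:
        print(ev["timestamp"], ev["host"], ev["src_ip"], ev["trap_oid"])
    print(count_traps(events))
```

If `break_events` returns fewer events than you expect, or `parse_event` raises on a header, the regex does not match your snmptrapd output and the corresponding LINE_BREAKER or TIME_PREFIX in props.conf would fail the same way; fix it here first, then copy the working pattern into the stanza.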

ledaipro
Explorer

But how do I send SNMP traps from the switch to the Splunk machine? I have installed net-snmp on the Splunk machine and configured SNMP on the switch 😞

0 Karma

santiagoaloi
Path Finder

OK, as I understood it, you are dumping all the SNMP traps into a log file, right?
You will have to either monitor that log file, assuming you have installed Splunk Enterprise on the same machine where the file is, or use a Universal Forwarder as I described above to monitor that file and forward it to the indexer.

0 Karma

ledaipro
Explorer

I have installed NET-SNMP on the Splunk machine (Windows Server 2008 R2).
1. Splunk machine
- edit the file C:/usr/etc/snmp/snmptrapd.conf
snmpTrapdAddr 192.168.1.100:162
authCommunity log public
- Add Data -> Monitor -> UDP port 162
2. Router
I configured
Router(config)# snmp-server community public ro
Router(config)# snmp-server community public rw
Router(config)# snmp-server host 192.168.1.100 version 2 public

But on the Splunk machine I didn't receive any SNMP traps. What did I do wrong?

0 Karma

ledaipro
Explorer

Thank you for this reply. This is very helpful!

0 Karma